Created attachment 630434
WIP v0, initial sketch
Doesn't do anything yet. Builds MIR for creating a call object and storing formals to its slots. Probably the right thing to do is to split the MIR into two LIR: if the callobj needs dslots, we can do a callVM. Otherwise, we can inline callobj creation.

Created attachment 630806
part 1: make all cacheable scope objects into delegates
This patch simplifies the CallObject creation path for deep scope chains by ensuring that all cacheable shapes are delegates.

Comment on attachment 630894
patch
Jan, could you review the IonMonkey pieces? In particular I changed the very start of MIR construction which is a tricky area, it seems to work but there may be edge cases around recursion/recompilation checks.

Comment on attachment 630894
patch
Review of attachment 630894:
-----------------------------------------------------------------
Cool. It's nice to see how the IM code looks; I don't really understand it but from a high level it looks very neat and readable.
::: js/src/ion/Bailouts.cpp
@@ +92,5 @@
> }
> }
>
> +void
> +StackFrame::initFromBailout(JSContext *cx, SnapshotIterator &iter)
How bad would it be to move this definition to Stack.cpp? I've really appreciated having everything all together after the old bad days (you may remember the 6-file spread of (jsinterp|jscntxt)(inlines.h|.h|.cpp)). For one, it makes it easier to see patterns for the purpose of refactoring or trying to understand all the different ways a frame is created. Other times, I'll be making some fix/change (adding a flag or field) and I usually just grep the file for uses of the relevant field. Lastly, it's kind of annoying when you look for a definition in the .cpp and don't find it.
::: js/src/vm/Stack.h
@@ +481,5 @@
> bool jitStrictEvalPrologue(JSContext *cx);
>
> + /* Called from IonMonkey to transition from bailouts. */
> + void initFromBailout(JSContext *cx, ion::SnapshotIterator &iter);
> + bool initCallObject(JSContext *cx);
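Review bot: in the Stack.h hunk, the new comment sits above initFromBailout only, leaving initCallObject undocumented: say who calls it and what a false return means. initFromBailout also takes a JSContext *cx but returns void, so it has no way to report a failure to its caller; if anything it does can fail, return bool as the neighbouring jitStrictEvalPrologue and initCallObject do.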
Fortunately, there is already a function (a little lower, next to prologue()) called jitHeavyweightFunctionPrologue() that you can reuse instead of adding initCallObject.

Created attachment 632091
mystery extra bug
The property cache test takes an in-out parameter, but mutates it even if the property cache test fails. This seems like an existing bug but only triggered with my patch queue (maybe because testing succeeds more now that objects are delegates).
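
The failure mode described in the comment above, as an added example that is not part of this bug thread or of SpiderMonkey's code: a cache test that walks its in-out parameter and then misses leaves the caller's slow path starting from the wrong object. `Obj`, `CacheEntry`, `testBuggy`, `testFixed`, `getProp` and `demo` are hypothetical names in a toy model, and the scope chain is constructed sample data.

```cpp
#include <cstdio>
#include <string>
#include <unordered_map>

// Toy model (hypothetical, not SpiderMonkey code): objects linked by a parent pointer.
struct Obj {
    std::unordered_map<std::string, int> props;
    Obj *parent = nullptr;
    int shape = 0;
};
// Entry: from an object with `shape`, hop `hops` parents; holder must have `holderShape`.
struct CacheEntry { int shape; int hops; int holderShape; };
using Test = bool (*)(const CacheEntry &, Obj *&);

// Buggy test: walks the chain through the in-out parameter itself, so a miss
// detected after the walk leaves `obj` pointing at an ancestor.
bool testBuggy(const CacheEntry &e, Obj *&obj) {
    if (obj->shape != e.shape) return false;
    for (int i = 0; i < e.hops && obj; i++) obj = obj->parent;
    return obj && obj->shape == e.holderShape;
}
// Fixed test: walk a local copy and commit to the in-out parameter only on a hit.
bool testFixed(const CacheEntry &e, Obj *&obj) {
    if (obj->shape != e.shape) return false;
    Obj *cur = obj;
    for (int i = 0; i < e.hops && cur; i++) cur = cur->parent;
    if (!cur || cur->shape != e.holderShape) return false;
    obj = cur;
    return true;
}
// Caller pattern: try the cache, then fall back to a full lookup with the same variable.
int getProp(Test test, const CacheEntry &e, Obj *start, const std::string &name) {
    Obj *obj = start;
    if (test(e, obj)) return obj->props.at(name);   // hit: obj is the holder
    for (Obj *o = obj; o; o = o->parent) {          // miss: assumes obj == start
        auto it = o->props.find(name);
        if (it != o->props.end()) return it->second;
    }
    return -1;
}
// Constructed scenario: a call object that shadows `x` from its parent scope.
int demo(Test test, CacheEntry e, const char *name) {
    Obj global; global.shape = 3; global.props = {{"x", 1}, {"y", 7}};
    Obj call; call.shape = 1; call.parent = &global; call.props = {{"x", 2}};
    return getProp(test, e, &call, name);
}
int main() {
    std::printf("buggy=%d fixed=%d\n", demo(testBuggy, {1, 1, 9}, "x"), demo(testFixed, {1, 1, 9}, "x"));
}
```

With the stale entry `{1, 1, 9}` the buggy test skips the shadowing binding on the call object, while both versions agree on a genuine hit.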